Practice Free CISA Exam Online Questions
Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
- A . Establishing a risk appetite
- B . Establishing a risk management framework
- C . Validating enterprise risk management (ERM)
- D . Operating the risk management framework
C
Explanation:
The primary role of an internal audit function in the management of identified business risks is to validate the enterprise risk management (ERM) process and provide assurance on its effectiveness. The internal audit function should evaluate whether the ERM process is aligned with the organization’s objectives, strategies, policies and culture, and whether it covers all relevant risks and controls. The internal audit function should also assess whether the ERM process is operating as designed and producing reliable and timely information for decision making. The other options are not the primary role of an internal audit function, but rather the responsibilities of senior management, board of directors or risk owners.
Reference: ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.4
ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1207
Which of the following BEST describes the process of creating a digital envelope?
- A . The encryption key is compressed within a folder after a message is encoded using symmetric encryption.
- B . A message is encoded using symmetric encryption, and then the encryption key is secured using public key encryption.
- C . The message is hashed, and the hash total is sent using symmetric encryption.
- D . A message digest is encrypted using asymmetric encryption, and the encryption key is sent using asymmetric encryption.
B
Explanation:
A digital envelope combines the strengths of symmetric and asymmetric cryptography. The message itself is encrypted using a fast symmetric algorithm. The session key used for symmetric encryption is then encrypted using the recipient’s public key. This ensures efficiency (large data encrypted quickly with symmetric keys) and security (session key securely transmitted using asymmetric encryption).
Options A, C, and D describe other cryptographic processes (compression, hashing, or digital signatures) but do not correctly represent a digital envelope. ISACA training materials and CISA manuals highlight this hybrid approach as the standard method for secure data transmission.
Reference (ISACA): CISA Review Manual, Cryptography Concepts; ISACA Glossary.
The waterfall life cycle model of software development is BEST suited for which of the following situations?
- A . The project will involve the use of new technology.
- B . The project intends to apply an object-oriented design approach.
- C . The project requirements are well understood.
- D . The project is subject to time pressures.
Which of the following should be the PRIMARY consideration when validating a data analytic algorithm that has never been used before?
- A . Enhancing the design of data visualization
- B . Increasing speed and efficiency of audit procedures
- C . Confirming completeness and accuracy
- D . Decreasing the time for data analytics execution
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
- A . Level of stakeholder satisfaction with the scope of planned IT projects
- B . Percentage of enterprise risk assessments that include IT-related risk
- C . Percentage of staff satisfied with their IT-related roles
- D . Frequency of business process capability maturity assessments
B
Explanation:
The best metric to measure the alignment of IT and business strategy is the percentage of enterprise risk assessments that include IT-related risk. This metric indicates how well the organization identifies and manages the IT risks that could affect its strategic objectives and performance. A high percentage of enterprise risk assessments that include IT-related risk shows that the organization considers IT as an integral part of its business strategy and aligns its IT resources and capabilities with its business needs and goals.
Reference: CISA Review Manual (Digital Version), Chapter 2: Governance and Management of IT, Section 2.2: IT Strategy, page 67; CISA Online Review Course, Module 2: Governance and Management of IT, Lesson 2.2: IT Strategy
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP).
Which of the following is the auditor’s BEST course of action?
- A . Confirm the BCP has been recently updated.
- B . Review the effectiveness of the business response.
- C . Raise an audit issue for the lack of simulated testing.
- D . Interview staff members to obtain commentary on the BCP’s effectiveness.
B
Explanation:
This is because the auditor’s primary objective is to evaluate the adequacy and performance of the business continuity plan (BCP) in ensuring the continuity and resilience of the organization’s critical functions and processes during a disruption. The auditor should review the actual results and outcomes of the business response, such as the recovery time, recovery point, service level, customer satisfaction, and incident management, and compare them with the predefined objectives and criteria of the BCP. The auditor should also identify and analyze any gaps, issues, or lessons learned from the business response, and provide recommendations for improvement.
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor’s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
- A . the organization’s web server.
- B . the demilitarized zone (DMZ).
- C . the organization’s network.
- D . the Internet
D
Explanation:
The best recommendation is to place an intrusion detection system (IDS) between the firewall and the Internet. An IDS is a device or software that monitors network traffic for malicious activity and alerts the network administrator or takes preventive action. By placing an IDS between the firewall and the Internet, the IS auditor can enhance the security of the network perimeter and detect any attack attempts that the firewall was unable to recognize.
The other options are not as effective as placing an IDS between the firewall and the Internet:
Placing an IDS between the firewall and the organization’s web server would not protect the web server from external attacks that bypass the firewall. The web server should be placed in a demilitarized zone (DMZ), which is a separate network segment that isolates public-facing servers from the internal network.
Placing an IDS between the firewall and the demilitarized zone (DMZ) would not protect the DMZ from external attacks that bypass the firewall. The DMZ should be protected by two firewalls, one facing the Internet and one facing the internal network, with an IDS monitoring both sides of each firewall.
Placing an IDS between the firewall and the organization’s network would not protect the organization’s network from external attacks that bypass the firewall. The organization’s network should be protected by a firewall that blocks unauthorized traffic from entering or leaving the network, with an IDS monitoring both sides of the firewall.
Which of the following BEST enables an organization to verify whether an encrypted message sent by a client has been altered?
- A . The digital signature
- B . The message header
- C . The date and time stamp of the received message
- D . The sender’s private key
During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months.
Which of the following is the BEST course of action?
- A . Require documentation that the finding will be addressed within the new system
- B . Schedule a meeting to discuss the issue with senior management
- C . Perform an ad hoc audit to determine if the vulnerability has been exploited
- D . Recommend the finding be resolved prior to implementing the new system
A
Explanation:
Requiring documentation that the finding will be addressed within the new system is the best course of action for a follow-up audit. An IS auditor should obtain evidence that the complex security vulnerability of low risk will be resolved in the new system and that there is a reasonable timeline for its implementation. The other options are not appropriate courses of action, as they may be too costly, time-consuming, or impractical for a low-risk finding.
Reference: CISA Review Manual (Digital Version), Chapter 2, Section 2.5.3
CISA Review Questions, Answers & Explanations Database, Question ID 209
Controls related to authorized modifications to production programs are BEST tested by:
- A . tracing modifications from the original request for change forward to the executable program.
- B . tracing modifications from the executable program back to the original request for change.
- C . testing only the authorizations to implement the new program.
- D . reviewing only the actual lines of source code changed in the program.
A
Explanation:
Controls related to authorized modifications to production programs are best tested by tracing modifications from the original request for change forward to the executable program, as this ensures that the change management process was followed and that the modifications were approved, documented, tested, and implemented correctly. Tracing modifications from the executable program back to the original request for change may not reveal any unauthorized or undocumented changes that occurred during the process. Testing only the authorizations to implement the new program or reviewing only the actual lines of source code changed in the program are not sufficient to test the controls related to authorized modifications, as they do not cover the entire change management process.
Reference: CISA Review Manual (Digital Version), Chapter 4: Information Systems Operations, Maintenance and Service Management, Section 4.2: Change Management
